tomcat-users mailing list archives

From "Leon Rosenberg" <>
Subject Re: Securing Tomcat Article for Review
Date Tue, 09 Jan 2007 11:40:21 GMT
Who's the target audience?
Things like:

Change files in CATALINA_HOME/conf to be readonly (400)
Rename CATALINA_HOME/conf/server.xml to
CATALINA_HOME/conf/server-original.xml and rename
CATALINA_HOME/conf/server-minimal.xml to
CATALINA_HOME/conf/server.xml. The minimal configuration provides the
same basic configuration, but without the nested comments is much
easier to maintain and understand. Do not delete the original file as
the comments make it useful for reference if you ever need to make
changes - e.g. enable SSL.

won't work for dummies (due to missing rights) if they'll follow the
guide step by step.

> Make sure tomcat user has read/write access to /tmp and write (300 -
> yes, only write/execute) access to CATALINA_HOME/logs

What is the sense of it? I mean if the tomcat user owns this directory
why remove read access to it?

> If you are on a Windows machine you will be able to change the port
> attribute of the connector within the Catalina service from 8080 to
> 80. This allows you to use tomcat directly to serve all requests.
> Depending on your requirements it may not be good enough to serve
> directly from Tomcat so you may like to consider;
>     * Use IIS / Apache running on port 80 and mod_jk to proxy requests to Tomcat

Using IIS in front, are you kidding? :-)) It's like opening your arms and
welcoming every single intruder on the net :-)

Also by using apache in front of tomcat you rather lose security than gain it.
At least this is my personal opinion :-)

Overall a nice article which I think provides a good quick-start.


On 1/9/07, Darren <> wrote:
> I've been working on an article about securing tomcat for the Open
> Web Application Security Project (OWASP).  The article details some
> quick and easy ways to improve the 'out of the box' security of
> tomcat from the perspective of a sysadmin.  It's written with tomcat
> 5.5 in mind, but almost everything will apply to 6.0 when it is
> released.  A lot of it will also apply to older versions of tomcat,
> but no specific testing has been done to establish this.
> Have a read of the article at
> Securing_tomcat and reply to the list with any comments - good or bad!
> Thanks,
> Darren
> ---------------------------------------------------------------------
> To start a new topic, e-mail:
> To unsubscribe, e-mail:
> For additional commands, e-mail:
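The permission scheme debated above (conf/* at 400, logs/ at 300) is easy to get wrong by hand, so here is an added audit script that is not part of the article or this thread. It only reports deviations and never changes a mode; the conf/ and logs/ layout and the expected modes come from the quoted article, the function name and the use of POSIX find(1) are my own assumptions.

```shell
#!/bin/sh
# Added audit script (not from the article or this thread). It checks a
# CATALINA_HOME against the permission scheme under discussion: every file in
# conf/ mode 400 (owner read-only) and logs/ mode 300 (owner write+execute,
# no read). It only reports; it never changes anything. Assumes POSIX sh and
# find(1); the directory layout (conf/, logs/) is the standard Tomcat one.

# Print one line per deviation under the CATALINA_HOME given as $1.
# Returns 0 when the layout matches the scheme, 1 otherwise.
audit_catalina_home() {
    home="$1"
    rc=0

    if [ ! -d "$home/conf" ]; then
        echo "missing: $home/conf"
        rc=1
    else
        # Regular files under conf/ whose mode is anything but exactly 0400.
        bad_conf=$(find "$home/conf" -type f ! -perm 400)
        if [ -n "$bad_conf" ]; then
            printf 'conf file not mode 400: %s\n' $bad_conf
            rc=1
        fi
    fi

    if [ ! -d "$home/logs" ]; then
        echo "missing: $home/logs"
        rc=1
    else
        # -prune stops find at the directory itself, so only its mode is tested.
        if [ -n "$(find "$home/logs" -prune ! -perm 300)" ]; then
            echo "logs dir not mode 300: $home/logs"
            rc=1
        fi
        # Leon's objection in practice: with mode 300 the owning (tomcat) user
        # must still be able to create log files. Run as that user this
        # confirms it; root passes trivially because it bypasses mode bits.
        if [ ! -w "$home/logs" ] || [ ! -x "$home/logs" ]; then
            echo "logs dir not writable/searchable by $(id -un): $home/logs"
            rc=1
        fi
    fi
    return $rc
}

# Usage: audit_catalina_home /usr/local/tomcat
```

Run it as the tomcat user after applying the article's chmod steps; a clean run returns 0 and prints nothing.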
